Re: [Samba] Fwd: getent group fails - fixed
Quoting Dermot (paik...@googlemail.com):
> Perhaps I am not understanding you correctly because that runs counter to my experience. The settings in my /etc/ldap/ldap.conf were correct whereas the ones in /etc/libnss-ldap.conf were not. It was the search filters from libnss-ldap.conf that were being used when I did `getent group`. I think you're telling me that getent is tied to the nss framework so would use that config because that's what I told nsswitch.conf to do. I would have thought, but I am no expert, that samba would have used the config from smb.conf and that ldapsearch (and anything else that didn't have hooks elsewhere) would use /etc/ldap/ldap.conf.

Please note that Debian has *two* packages for nss-ldap:

    mykerinos:/home/cperrier# apt-cache search nss ldap naming service
    libnss-ldap - NSS module for using LDAP as a naming service
    libnss-ldapd - NSS module for using LDAP as a naming service

IIRC (but you probably want to check this), the latter is more actively maintained than the former.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Fwd: getent group fails - fixed
On 24 June 2011 05:48, Christian PERRIER bubu...@debian.org wrote:
> Quoting Dermot (paik...@googlemail.com):
> > Perhaps I am not understanding you correctly because that runs counter to my experience. The settings in my /etc/ldap/ldap.conf were correct whereas the ones in /etc/libnss-ldap.conf were not. It was the search filters from libnss-ldap.conf that were being used when I did `getent group`. I think you're telling me that getent is tied to the nss framework so would use that config because that's what I told nsswitch.conf to do. I would have thought, but I am no expert, that samba would have used the config from smb.conf and that ldapsearch (and anything else that didn't have hooks elsewhere) would use /etc/ldap/ldap.conf.
>
> Please note that Debian has *two* packages for nss-ldap:
>
>     mykerinos:/home/cperrier# apt-cache search nss ldap naming service
>     libnss-ldap - NSS module for using LDAP as a naming service
>     libnss-ldapd - NSS module for using LDAP as a naming service
>
> IIRC (but you probably want to check this), the latter is more actively maintained than the former.

I asked about that on the samba IRC two days ago:

    (14:33:17) : On my distro (Debian), I have two options for NSS 1) libnss_ldap and 2) libnss_ldapd (Source: nss-pam-ldapd). Does anyone know which one I should use?

Now I have my answer but it looks like I installed the lesser maintained version :/

    libnss_ldap.so.2 (libc6,x86-64) = /lib/libnss_ldap.so.2
    libnss_ldap.so (libc6,x86-64) = /usr/lib/libnss_ldap.so
    libnss_ldap-2.7.so (libc6,x86-64) = /lib/libnss_ldap-2.7.so

Thanks,
Dermot.
Re: [Samba] Fwd: getent group fails - fixed
Nice find! good work

Aly

Sent from my BlackBerry device on the Rogers Wireless Network

-Original Message-
From: Dermot paik...@googlemail.com
Sender: samba-boun...@lists.samba.org
Date: Thu, 23 Jun 2011 13:00:55
To: samba@lists.samba.org
Subject: [Samba] Fwd: getent group fails - fixed

Found it. It turns out that the config file for libnss-ldap is /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the config that I had been in /etc/ldap/ldap.conf and taking it from /etc/libnss-ldap.conf. The former had this

    nss_base_group ou=Groups,dc=example,dc=co,dc=uk?sub

and the latter this

    nss_base_group ou=group,dc=example,dc=co,dc=uk?one

Once I edited group to Groups, it started working.

    Package: libnss-ldap
    Priority: extra
    Section: net
    Installed-Size: 304
    Maintainer: Richard A Nelson (Rick) ...
    Architecture: amd64
    Version: 261-2.1
    Depends: libc6 (= 2.7-1), libcomerr2 (= 1.01), libkrb53 (= 1.6.dfsg.2), libldap-2.4-2 (= 2.4.7), libsasl2-2, debconf | debconf-2.0
    Recommends: nscd, libpam-ldap
    ...

Hope that saves someone the (huge) amount of time it's taken me to figure out where this problem was.

Thanks,
Dermot.
Re: [Samba] Fwd: getent group fails - fixed
On Thu, Jun 23, 2011 at 01:00:55PM +0100, Dermot wrote:
> Found it. It turns out that the config file for libnss-ldap is /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the config that I had been in /etc/ldap/ldap.conf and taking it from /etc/libnss-ldap.conf.

As far as I'm aware, most of the distributions use a separate configuration file for libnss-ldap, allowing /etc/ldap/ldap.conf to be used for the generic configuration of user ldap searches (as it is intended) and not have those constrained by the very specific needs of nsswitch.

This separation is more than just a convenience. At my workplace, I have an LDAP directory as the backing for nsswitch and as the passdb/idmap backend for Samba. Samba's ldap searches are affected by anything that goes into /etc/ldap/ldap.conf, which would cause problems if the nsswitch-specific settings had to be stored there.

--
Bruce

Vajazzle - giving new meaning to the phrase I'll scratch your eyes out.
Re: [Samba] Fwd: getent group fails - fixed
On 23 June 2011 13:14, Bruce Richardson wrote:
> On Thu, Jun 23, 2011 at 01:00:55PM +0100, Dermot wrote:
> > Found it. It turns out that the config file for libnss-ldap is /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the config that I had been in /etc/ldap/ldap.conf and taking it from /etc/libnss-ldap.conf.
>
> Samba's ldap searches are affected by anything that goes into /etc/ldap/ldap.conf, which would cause problems if the nsswitch-specific settings had to be stored there.

Perhaps I am not understanding you correctly because that runs counter to my experience. The settings in my /etc/ldap/ldap.conf were correct whereas the ones in /etc/libnss-ldap.conf were not. It was the search filters from libnss-ldap.conf that were being used when I did `getent group`. I think you're telling me that getent is tied to the nss framework so would use that config because that's what I told nsswitch.conf to do. I would have thought, but I am no expert, that samba would have used the config from smb.conf and that ldapsearch (and anything else that didn't have hooks elsewhere) would use /etc/ldap/ldap.conf.

    # /etc/nsswitch.conf
    passwd: files ldap
    group: files ldap
    shadow: files ldap

Your workplace configuration sounds like what I am trying to deploy at mine. I'll be back.

Thanks,
Dermot
Re: [Samba] Fwd: getent group fails - fixed
On Thu, Jun 23, 2011 at 02:20:56PM +0100, Dermot wrote:
> I would have thought, but I am no expert, that samba would have used the config from smb.conf and that ldapsearch (and anything else that didn't have hooks elsewhere) would use /etc/ldap/ldap.conf.

In smb.conf you specify those things which have meaning only to samba. But the non-samba-specific bits are configured in /etc/ldap/ldap.conf. For example, if you are using ldaps or ldap+tls (which you really should), how are you going to tell samba where to find the CA cert that authenticated the certs of your ldap servers? Answer: you put the correct ssl-relevant config into /etc/ldap/ldap.conf (or /etc/openldap/ldap.conf on RedHat-based distributions). Samba is using the openldap client libraries, after all.

--
Bruce

The ice-caps are melting, tra-la-la-la. All the world is drowning, tra-la-la-la-la. -- Tiny Tim.
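
Added example, not code from any poster in this thread: a small check for the drift that caused the problem here, comparing the `nss_base_*` directives in the file libnss-ldap actually reads against a second file. The two sample file bodies are constructed from the directives quoted in the thread, and the function names are hypothetical.

```python
# Constructed samples modelled on the two nss_base_group lines quoted in the thread.
LDAP_CONF = """\
# /etc/ldap/ldap.conf
nss_base_group ou=Groups,dc=example,dc=co,dc=uk?sub
"""
LIBNSS_LDAP_CONF = """\
# /etc/libnss-ldap.conf (the file libnss-ldap reads on Debian)
nss_base_group ou=group,dc=example,dc=co,dc=uk?one
"""


def parse_nss_bases(text):
    """Return {directive: (base_dn, scope)} for each nss_base_* line."""
    bases = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].lower().startswith("nss_base_"):
            continue
        fields = parts[1].strip().split("?")  # base?scope?filter
        scope = fields[1].lower() if len(fields) > 1 and fields[1] else None
        bases[parts[0].lower()] = (fields[0], scope)
    return bases


def normalise_dn(dn):
    # Approximation: compare case-insensitively, ignoring spaces after commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def diff_nss_bases(nss_text, other_text):
    """Report directives whose base or scope differ between two files."""
    nss, other = parse_nss_bases(nss_text), parse_nss_bases(other_text)
    findings = []
    for key in sorted(set(nss) | set(other)):
        a, b = nss.get(key), other.get(key)
        if a is None or b is None:
            findings.append((key, ["missing"], a, b))
            continue
        reasons = []
        if normalise_dn(a[0]) != normalise_dn(b[0]):
            reasons.append("base")
        if a[1] != b[1]:
            reasons.append("scope")
        if reasons:
            findings.append((key, reasons, a, b))
    return findings


if __name__ == "__main__":
    for key, reasons, nss_val, other_val in diff_nss_bases(LIBNSS_LDAP_CONF, LDAP_CONF):
        print(f"{key}: {'/'.join(reasons)} differ: NSS uses {nss_val}, other file has {other_val}")
```

On a real host, pass the contents of the two files instead of the constructed strings; a reported difference points at the file `getent` is really using.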